Ten Deadly Mistakes While Doing Hacking – Making the wrong choices in your security testing can wreak havoc on your work and possibly even your career. In this post, I discuss ten potential pitfalls to be keenly aware of when performing your security assessment work.
Not Getting Approval
Getting documented approval in advance, such as an email, an internal memo, or a formal contract for your security testing efforts — whether it’s from management or from your client — is a must. Outside of laws on the books that might affect your testing, it’s your “Get Out of Jail Free” card.
Allow no exceptions — especially when you’re doing work for clients. Make sure to get a signed copy of this document for your files to ensure that you’re protected.
Assuming That You Can Find All Vulnerabilities
So many security vulnerabilities exist — known and unknown — that you won’t find them all during your testing. Don’t make any guarantees that you’ll find all the security vulnerabilities in a system. You’ll be starting something that you can’t finish.
Stick to the following tenets:
- Be realistic.
- Use good tools.
- Get to know your systems, and practice honing your techniques.
- Improve over time.
Assuming That You Can Eliminate All Vulnerabilities
When it comes to networks, computers, and applications, ironclad security isn’t attainable. You can’t possibly prevent all security vulnerabilities, but you’ll do fine if you uncover the low-hanging fruit that creates most of the risk and accomplish these tasks:
- Follow solid practices. The security essentials that have been around for decades.
- Patch and harden your systems.
- Apply reasonable security countermeasures where you can, based on your budget and your business needs.
Many chapters, such as the operating system (OS) post, cover these areas.
It’s also important to remember that you’ll have unplanned costs. You may find lots of security problems and need the budget to plug the holes. Perhaps you now have a due-care problem on your hands and have to fix the issues uncovered. For this reason, you need to approach information security from a risk perspective and have all the right people on board.
Performing Tests Only Once
Security assessments are mere snapshots of your overall state of security. New threats and vulnerabilities surface continually, so you must perform these tests periodically and consistently to make sure that you keep up with the latest security defenses for your systems. Develop both short- and long-term plans for carrying out your security tests over the next few months and years.
Thinking That You Know It All
Even though some people in the field of IT beg to differ, no one working in IT or information security knows everything about this subject. Keeping up with all the software versions, hardware models, and emerging technologies, not to mention the associated security threats and vulnerabilities, is impossible. True IT and information security professionals know their limitations — that is, they know what they don’t know. They do know where to get answers through myriad online resources, such as those that I list in the appendix.
Running Your Tests Without Looking at Things from a Hacker’s Viewpoint
Think about how a malicious outsider or rogue insider can attack your network and computers. Get a fresh perspective; try to think outside the proverbial box about how systems can be taken offline, information can be stolen, and so on.
Study criminal and hacker behaviors and common hack attacks so you know what to test for. I’m continually blogging about this subject at https://www.principlelogic.com. Check out the appendix for other trusted resources that can help you in this area.
Not Testing the Right Systems
Focus on the systems and information that matter most. You can hack away all day at a stand-alone desktop running Windows XP or at a training-room printer with nothing of value, but does that do any good? Probably not, but you never know. Your biggest risks may be on the seemingly least critical system. Focus on what’s both urgent and important.
Not Using the Right Tools
Without the right tools for the task, getting anything done without driving yourself nuts is impossible. It’s no different from working around the house, on your car, or in your garden, in the sense that good tools are a must. Download the free and trial-version tools that I mention throughout this book and in the appendix. Buy commercial tools when you can; they’re usually worth every penny. No one security tool does everything, though.
Building your toolbox and getting to know your tools well will save you gobs of effort, you’ll impress others with your results, and you’ll help minimize your business’s risks.
Pounding Production Systems at the Wrong Time
One of the best ways to tick off your manager or lose your client’s trust is to run security tests against production systems when everyone is using them. This problem is especially serious for companies that run old, feeble operating systems or legacy applications. If you try to test systems at the wrong time, you should expect the critical ones to be negatively affected at the worst moment.
Make sure that you know the best time to perform your testing, which may be in the middle of the night. (I never said that information security testing was easy!) Odd testing schedules may justify using security tools and other supporting utilities to automate certain tasks, such as vulnerability scanners that allow you to run scans at certain times.
Outsourcing Testing and Not Staying Involved
Outsourcing is great, but you must stay involved throughout the entire process. Don’t hand the reins of your security testing to a third-party consultant or a managed service provider without following up and staying on top of what’s taking place. You won’t be doing your manager or clients any favors by staying out of third-party vendors’ hair. Get in their hair (unless, of course, they’re bald like me, but you know what I mean). You can’t outsource accountability, so stay in touch!